I have been working at a client site where i am only interested in capturing SYN frames. I was unable to locate any way to set a capture filter that would accomplish this task. I was wondering if there is a way to capture using offset to the point where the TCP SYN flag is...? In display filter, I was able to set a filter "flags.tcp.syn", but for some reason, it did not show me only syn frames but alot of what looked like PSH ACK frames as well. Thanks for any advice or recommendations on how to capture just the SYN frames. kmnruser asked 22 Sep '10, 11:36  kmnruser |
One Answer:
The filter "tcp.flags.syn" will select all the frames that have the flag tcp.flags.syn, which will be every TCP packet. What you want to filter on is "tcp.flags.syn==1" to make sure you only select the frames which have the SYN bit set. You might even want to add "... and tcp.flags.ack==0" to make sure you only select the SYN packets and not the SYN/ACK packets. Now, back to the capture filter. You can use the filter "tcp[0xd]&2=2" which will capture all the frames with the SYN bit set (SYN as well as SYN/ACK). Or use "tcp[0xd]&18=2" to capture only SYN packets. answered 22 Sep '10, 11:55  SYN-bit ♦♦ edited 15 Feb '11, 12:10 |
SYNbit
Thanks for the great response! Those filters are exactly what I need, and it goes without say that they will make life easier moving forward. Awesome answer! KMNRUser
I think the correct filter for SYNs and SYN/ACKs is "tcp[0xd]&2=2"
You're absolutely right. I will change it, thanks!